Hey everyone! I'm looking for advice on the best approach to establish a brand new AWS organization for our startup. We're considering using AWS Control Tower to get started, and then incorporating tools like Spacelift and OpenTofu for infrastructure as code. I'd love to hear your thoughts on this strategy and any other recommendations you might have!
5 Answers
Don't forget, AWS also offers both a prescriptive guide and code examples for setting this up. Check out the AWS Security Reference Architecture for useful templates in CloudFormation and Terraform.
Honestly, I would steer clear of using Control Tower if possible. It can be a bit finicky and removing it later is quite a hassle. Most of what it does can be replicated manually with better performance. AWS has extensive resources to help you set things up without it, which I strongly recommend checking out before going down that path.
I suggest starting with AWS Control Tower and then leveraging the Landing Zone Accelerator provided by AWS. This setup is great for adding new organizational unit (OU) accounts easily. After that, you can implement whatever infrastructure as code (IaC) tool you prefer.
Absolutely! Using Account Factory is a game-changer; it outputs accounts ready for management in HCP Cloud.
When customizing Control Tower, use it to set up your federated access roles for AWS SSO (now known as Identity Center), IAM roles for CI/CD, and managing your Service Control Policies (SCPs). Make sure to strategize your OU tree well. Having clear root-level OUs like eng/test/prod really helps with permissions and organization down the line.
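For readers going the OpenTofu/Terraform route from the question, here is an added example (not code from the thread, from AWS, or from Control Tower) of the eng/test/prod root-level OU layout with a baseline SCP attached to each OU. It assumes the organization itself is managed from code rather than by Control Tower; the provider version pin, the `us-east-1`/`eu-west-1` allow-list and the policy name are placeholder assumptions.

```hcl
# Added example (not from the thread): an OpenTofu/Terraform layout for the
# eng/test/prod root-level OUs and a baseline SCP, assuming the organization
# is managed from code rather than by Control Tower. If Control Tower owns
# the org, leave its OUs/SCPs alone and only attach additional policies.
# Provider version pin and the allowed-region list are assumptions.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # management account; Organizations is a global service
}

# Enable SCPs org-wide. Import an existing org rather than creating it twice.
resource "aws_organizations_organization" "this" {
  feature_set          = "ALL"
  enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
}

locals {
  root_id = aws_organizations_organization.this.roots[0].id
  ous     = toset(["eng", "test", "prod"])
  # Assumed allow-list: the home region plus any others actually in use.
  allowed_regions = ["us-east-1", "eu-west-1"]
}

resource "aws_organizations_organizational_unit" "top" {
  for_each  = local.ous
  name      = each.key
  parent_id = local.root_id
}

# Baseline guardrail: member accounts cannot leave the org, tamper with
# CloudTrail, or call regional services outside the allow-list.
data "aws_iam_policy_document" "baseline_scp" {
  statement {
    sid       = "DenyLeavingOrg"
    effect    = "Deny"
    actions   = ["organizations:LeaveOrganization"]
    resources = ["*"]
  }

  statement {
    sid    = "ProtectCloudTrail"
    effect = "Deny"
    actions = [
      "cloudtrail:StopLogging",
      "cloudtrail:DeleteTrail",
      "cloudtrail:UpdateTrail",
    ]
    resources = ["*"]
  }

  statement {
    sid    = "DenyUnapprovedRegions"
    effect = "Deny"
    # Global services are served out of us-east-1; exempt them so the deny
    # does not break IAM, Organizations, STS and friends.
    not_actions = [
      "iam:*",
      "organizations:*",
      "sts:*",
      "support:*",
      "cloudfront:*",
      "route53:*",
      "budgets:*",
      "health:*",
    ]
    resources = ["*"]
    condition {
      test     = "StringNotEquals"
      variable = "aws:RequestedRegion"
      values   = local.allowed_regions
    }
  }
}

resource "aws_organizations_policy" "baseline" {
  name    = "baseline-guardrails"
  type    = "SERVICE_CONTROL_POLICY"
  content = data.aws_iam_policy_document.baseline_scp.json
}

# Attach per top-level OU rather than at the root, so prod can later get a
# stricter policy without rewriting this one.
resource "aws_organizations_policy_attachment" "baseline" {
  for_each  = aws_organizations_organizational_unit.top
  policy_id = aws_organizations_policy.baseline.id
  target_id = each.value.id
}
```

If the organization already exists, run `tofu import aws_organizations_organization.this <org-id>` before the first apply so the plan does not try to create a second one. Remember that SCPs never apply to the management account, so anything that must be protected there needs IAM permission boundaries or a separate control; and test the region deny in the test OU first, because the global-service exemption list above is a starting point, not an exhaustive one.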
Think about your startup’s future. If your needs are simple now, Control Tower could work. However, be mindful of the regions you choose for setup, as some services like Managed AD and IAM Identity Center have regional restrictions. Do your homework on the documentation before diving in.
I recently did just that for a non-profit, and skipping Control Tower for pure Terraform really paid off. I wish I’d known about the Terraform reference from AWS that another user mentioned!

Definitely! Just remember to integrate AWS SSO before you start creating new accounts! That will save you some hassle down the line.